![[BACK]](/icons/back.gif){kind=icon}
Up to [cvs.NetBSD.org] / pkgsrc / devel / ruby-activesupport61
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.21 / (download) - annotate - [select for diffs], Sat Feb 24 14:42:39 2024 UTC (7 weeks, 5 days ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2024Q1-base,
pkgsrc-2024Q1,
HEAD
Changes since 1.20: +4 -4
lines
Diff to previous 1.20 (colored)
www/rails61: update to 6.1.7.7 Update rails61 and related pacakges to 6.1.7.7 This includes security fix for CVE-2024-26144, devel/ruby-activestorage61. Active Storage * Disables the session in ActiveStorage::Blobs::ProxyController and ActiveStorage::Representations::ProxyController in order to allow caching by default in some CDNs as CloudFlare Fixes #44136 Bruno Prieto
Revision 1.20 / (download) - annotate - [select for diffs], Sat Aug 26 15:23:28 2023 UTC (7 months, 3 weeks ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2023Q4-base,
pkgsrc-2023Q4,
pkgsrc-2023Q3-base,
pkgsrc-2023Q3
Changes since 1.19: +4 -4
lines
Diff to previous 1.19 (colored)
www/ruby-rails61: update to 6.1.7.6 6.1.7.5 (2023-08-22) Active Support * Use a temporary file for storing unencrypted files while editing [CVE-2023-38037] 6.1.7.6 (2023-08-22) * No changes between this and 6.1.7.5. This release was just to fix file permissions in the previous release.
Revision 1.18.4.1 / (download) - annotate - [select for diffs], Fri Jun 30 18:41:55 2023 UTC (9 months, 2 weeks ago) by bsiegert
Branch: pkgsrc-2023Q2
Changes since 1.18: +4 -4
lines
Diff to previous 1.18 (colored) next main 1.19 (colored)
Pullup ticket #6766 - requested by taca
www/ruby-rails61: security fix
Revisions pulled up:
- databases/ruby-activerecord61/distinfo 1.19
- devel/ruby-activejob61/distinfo 1.19
- devel/ruby-activemodel61/distinfo 1.19
- devel/ruby-activestorage61/distinfo 1.19
- devel/ruby-activesupport61/distinfo 1.19
- devel/ruby-railties61/distinfo 1.19
- lang/ruby/rails.mk 1.146
- mail/ruby-actionmailbox61/distinfo 1.19
- mail/ruby-actionmailer61/distinfo 1.19
- textproc/ruby-actiontext61/distinfo 1.19
- www/ruby-actioncable61/distinfo 1.19
- www/ruby-actionpack61/distinfo 1.19
- www/ruby-actionview61/distinfo 1.19
- www/ruby-rails61/distinfo 1.19
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Jun 27 13:35:19 UTC 2023
Modified Files:
pkgsrc/databases/ruby-activerecord61: distinfo
pkgsrc/devel/ruby-activejob61: distinfo
pkgsrc/devel/ruby-activemodel61: distinfo
pkgsrc/devel/ruby-activestorage61: distinfo
pkgsrc/devel/ruby-activesupport61: distinfo
pkgsrc/devel/ruby-railties61: distinfo
pkgsrc/lang/ruby: rails.mk
pkgsrc/mail/ruby-actionmailbox61: distinfo
pkgsrc/mail/ruby-actionmailer61: distinfo
pkgsrc/textproc/ruby-actiontext61: distinfo
pkgsrc/www/ruby-actioncable61: distinfo
pkgsrc/www/ruby-actionpack61: distinfo
pkgsrc/www/ruby-actionview61: distinfo
pkgsrc/www/ruby-rails61: distinfo
Log Message:
www/rails61: update to 6.1.7.4
Rails 6.1.7.4 (2023-06-26)
Action Pack
* Raise an exception if illegal characters are provide to redirect_to
[CVE-2023-28362]
*Zack Deveau*
Revision 1.19 / (download) - annotate - [select for diffs], Tue Jun 27 13:35:17 2023 UTC (9 months, 3 weeks ago) by taca
Branch: MAIN
Changes since 1.18: +4 -4
lines
Diff to previous 1.18 (colored)
www/rails61: update to 6.1.7.4
Rails 6.1.7.4 (2023-06-26)
Action Pack
* Raise an exception if illegal characters are provide to redirect_to
[CVE-2023-28362]
*Zack Deveau*
Revision 1.18 / (download) - annotate - [select for diffs], Wed Mar 15 13:31:47 2023 UTC (13 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2023Q2-base,
pkgsrc-2023Q1-base,
pkgsrc-2023Q1
Branch point for: pkgsrc-2023Q2
Changes since 1.17: +4 -4
lines
Diff to previous 1.17 (colored)
www/ruby-rails61: update to 6.1.7.3 6.1.7.3 (2023-03-13) Active Support * Implement SafeBuffer#bytesplice [CVE-2023-28120] Action View * Ignore certain data-* attributes in rails-ujs when element is contenteditable [CVE-2023-23913]
Revision 1.15.4.1 / (download) - annotate - [select for diffs], Sat Mar 4 14:10:22 2023 UTC (13 months, 2 weeks ago) by spz
Branch: pkgsrc-2022Q4
Changes since 1.15: +4 -4
lines
Diff to previous 1.15 (colored) next main 1.16 (colored)
Pullup ticket #6733 - requested by taca
databases/ruby-activerecord61: security update
devel/ruby-activejob61: distinfo update
devel/ruby-activemodel61: distinfo update
devel/ruby-activestorage61: distinfo update
devel/ruby-activesupport61: security update
devel/ruby-railties61: distinfo update
mail/ruby-actionmailbox61: distinfo update
mail/ruby-actionmailer61: distinfo update
textproc/ruby-actiontext61: sdistinfo update
www/ruby-actioncable61: distinfo update
www/ruby-actionpack61: security update
www/ruby-actionview61: distinfo update
www/ruby-rails61: distinfo update
Revisions pulled up:
- databases/ruby-activerecord61/distinfo 1.16-1.17
- devel/ruby-activejob61/distinfo 1.16-1.17
- devel/ruby-activemodel61/distinfo 1.16-1.17
- devel/ruby-activestorage61/distinfo 1.16-1.17
- devel/ruby-activesupport61/distinfo 1.16-1.17
- devel/ruby-railties61/distinfo 1.16-1.17
- lang/ruby/rails.mk 1.139,1.141
- mail/ruby-actionmailbox61/distinfo 1.16-1.17
- mail/ruby-actionmailer61/distinfo 1.16-1.17
- textproc/ruby-actiontext61/distinfo 1.16-1.17
- www/ruby-actioncable61/distinfo 1.16-1.17
- www/ruby-actionpack61/Makefile 1.4
- www/ruby-actionpack61/distinfo 1.16-1.17
- www/ruby-actionview61/distinfo 1.16-1.17
- www/ruby-rails61/distinfo 1.16-1.17
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu Jan 19 14:31:11 UTC 2023
Modified Files:
pkgsrc/databases/ruby-activerecord61: distinfo
pkgsrc/devel/ruby-activejob61: distinfo
pkgsrc/devel/ruby-activemodel61: distinfo
pkgsrc/devel/ruby-activestorage61: distinfo
pkgsrc/devel/ruby-activesupport61: distinfo
pkgsrc/devel/ruby-railties61: distinfo
pkgsrc/lang/ruby: rails.mk
pkgsrc/mail/ruby-actionmailbox61: distinfo
pkgsrc/mail/ruby-actionmailer61: distinfo
pkgsrc/textproc/ruby-actiontext61: distinfo
pkgsrc/www/ruby-actioncable61: distinfo
pkgsrc/www/ruby-actionpack61: Makefile distinfo
pkgsrc/www/ruby-actionview61: distinfo
pkgsrc/www/ruby-rails61: distinfo
Log Message:
www/ruby-rails61: update to 6.1.7.1
Rails 6.1.7.1 (2023-01-17)
devel/ruby-activesupport61
* Avoid regex backtracking in Inflector.underscore
[CVE-2023-22796]
www/ruby-actionpack61
* Avoid regex backtracking on If-None-Match header
[CVE-2023-22795]
* Use string#split instead of regex for domain parts
[CVE-2023-22792]
databases/ruby-activerecord61
* Make sanitize_as_sql_comment more strict
Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrances of "/*" or "*/" with "/ *" or "* /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
* Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
[CVE-2022-44566]
To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 pkgsrc/databases/ruby-activerecord61/distinfo
cvs rdiff -u -r1.15 -r1.16 pkgsrc/devel/ruby-activejob61/distinfo
cvs rdiff -u -r1.15 -r1.16 pkgsrc/devel/ruby-activemodel61/distinfo
cvs rdiff -u -r1.15 -r1.16 pkgsrc/devel/ruby-activestorage61/distinfo
cvs rdiff -u -r1.15 -r1.16 pkgsrc/devel/ruby-activesupport61/distinfo
cvs rdiff -u -r1.15 -r1.16 pkgsrc/devel/ruby-railties61/distinfo
cvs rdiff -u -r1.138 -r1.139 pkgsrc/lang/ruby/rails.mk
cvs rdiff -u -r1.15 -r1.16 pkgsrc/mail/ruby-actionmailbox61/distinfo
cvs rdiff -u -r1.15 -r1.16 pkgsrc/mail/ruby-actionmailer61/distinfo
cvs rdiff -u -r1.15 -r1.16 pkgsrc/textproc/ruby-actiontext61/distinfo
cvs rdiff -u -r1.15 -r1.16 pkgsrc/www/ruby-actioncable61/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/www/ruby-actionpack61/Makefile
cvs rdiff -u -r1.15 -r1.16 pkgsrc/www/ruby-actionpack61/distinfo
cvs rdiff -u -r1.15 -r1.16 pkgsrc/www/ruby-actionview61/distinfo
cvs rdiff -u -r1.15 -r1.16 pkgsrc/www/ruby-rails61/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Wed Jan 25 13:27:10 UTC 2023
Modified Files:
pkgsrc/databases/ruby-activerecord61: distinfo
pkgsrc/devel/ruby-activejob61: distinfo
pkgsrc/devel/ruby-activemodel61: distinfo
pkgsrc/devel/ruby-activestorage61: distinfo
pkgsrc/devel/ruby-activesupport61: distinfo
pkgsrc/devel/ruby-railties61: distinfo
pkgsrc/lang/ruby: rails.mk
pkgsrc/mail/ruby-actionmailbox61: distinfo
pkgsrc/mail/ruby-actionmailer61: distinfo
pkgsrc/textproc/ruby-actiontext61: distinfo
pkgsrc/www/ruby-actioncable61: distinfo
pkgsrc/www/ruby-actionpack61: distinfo
pkgsrc/www/ruby-actionview61: distinfo
pkgsrc/www/ruby-rails61: distinfo
Log Message:
www/ruby-rails61: update to 6.1.7.2
Rails 6.1.7.2 (2023-01-24)
www/ruby-actionpack61
* Fix `domain: :all` for two letter TLD
This fixes a compatibility issue introduced in our previous security
release when using `domain: :all` with a two letter but single level top
level domain domain (like `.ca`, rather than `.co.uk`).
To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 pkgsrc/databases/ruby-activerecord61/distinfo
cvs rdiff -u -r1.16 -r1.17 pkgsrc/devel/ruby-activejob61/distinfo
cvs rdiff -u -r1.16 -r1.17 pkgsrc/devel/ruby-activemodel61/distinfo
cvs rdiff -u -r1.16 -r1.17 pkgsrc/devel/ruby-activestorage61/distinfo
cvs rdiff -u -r1.16 -r1.17 pkgsrc/devel/ruby-activesupport61/distinfo
cvs rdiff -u -r1.16 -r1.17 pkgsrc/devel/ruby-railties61/distinfo
cvs rdiff -u -r1.140 -r1.141 pkgsrc/lang/ruby/rails.mk
cvs rdiff -u -r1.16 -r1.17 pkgsrc/mail/ruby-actionmailbox61/distinfo
cvs rdiff -u -r1.16 -r1.17 pkgsrc/mail/ruby-actionmailer61/distinfo
cvs rdiff -u -r1.16 -r1.17 pkgsrc/textproc/ruby-actiontext61/distinfo
cvs rdiff -u -r1.16 -r1.17 pkgsrc/www/ruby-actioncable61/distinfo
cvs rdiff -u -r1.16 -r1.17 pkgsrc/www/ruby-actionpack61/distinfo
cvs rdiff -u -r1.16 -r1.17 pkgsrc/www/ruby-actionview61/distinfo
cvs rdiff -u -r1.16 -r1.17 pkgsrc/www/ruby-rails61/distinfo
Revision 1.17 / (download) - annotate - [select for diffs], Wed Jan 25 13:27:09 2023 UTC (14 months, 3 weeks ago) by taca
Branch: MAIN
Changes since 1.16: +4 -4
lines
Diff to previous 1.16 (colored)
www/ruby-rails61: update to 6.1.7.2
Rails 6.1.7.2 (2023-01-24)
www/ruby-actionpack61
* Fix `domain: :all` for two letter TLD
This fixes a compatibility issue introduced in our previous security
release when using `domain: :all` with a two letter but single level top
level domain domain (like `.ca`, rather than `.co.uk`).
Revision 1.16 / (download) - annotate - [select for diffs], Thu Jan 19 14:31:10 2023 UTC (14 months, 4 weeks ago) by taca
Branch: MAIN
Changes since 1.15: +4 -4
lines
Diff to previous 1.15 (colored)
www/ruby-rails61: update to 6.1.7.1
Rails 6.1.7.1 (2023-01-17)
devel/ruby-activesupport61
* Avoid regex backtracking in Inflector.underscore
[CVE-2023-22796]
www/ruby-actionpack61
* Avoid regex backtracking on If-None-Match header
[CVE-2023-22795]
* Use string#split instead of regex for domain parts
[CVE-2023-22792]
databases/ruby-activerecord61
* Make sanitize_as_sql_comment more strict
Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrances of "/*" or "*/" with "/ *" or "* /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
* Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
[CVE-2022-44566]
Revision 1.15 / (download) - annotate - [select for diffs], Sat Sep 10 08:24:40 2022 UTC (19 months, 1 week ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2022Q4-base,
pkgsrc-2022Q3-base,
pkgsrc-2022Q3
Branch point for: pkgsrc-2022Q4
Changes since 1.14: +4 -4
lines
Diff to previous 1.14 (colored)
www/ruby-rails61: update to 6.1.7 Ruby on Rails 6.1.7 release on 9th September 2022. Active Record and Active Storage are updated: Active Record * Symbol is allowed by default for YAML columns tienne Barrié * Fix ActiveRecord::Store to serialize as a regular Hash Previously it would serialize as an ActiveSupport::HashWithIndifferentAccess which is wasteful and cause problem with YAML safe_load. Jean Boussier * Fix PG.connect keyword arguments deprecation warning on ruby 2.7 Fixes . Nikita Vasilevsky Active Storage * Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0. fatkodima
Revision 1.13.2.1 / (download) - annotate - [select for diffs], Sat Jul 23 19:35:07 2022 UTC (20 months, 3 weeks ago) by spz
Branch: pkgsrc-2022Q2
Changes since 1.13: +4 -4
lines
Diff to previous 1.13 (colored) next main 1.14 (colored)
Pullup ticket #6655 - requested by taca
databases/ruby-activerecord61: security update
devel/ruby-activejob61: security update
devel/ruby-activemodel61: security update
devel/ruby-activestorage61: security update
devel/ruby-activesupport61: security update
devel/ruby-railties61: security update
mail/ruby-actionmailbox61: security update
mail/ruby-actionmailer61: security update
textproc/ruby-actiontext61: security update
www/ruby-actioncable61: security update
www/ruby-actionpack61: security update
www/ruby-actionview61: security update
www/ruby-rails61: security update
Revisions pulled up:
- databases/ruby-activerecord61/distinfo 1.14
- devel/ruby-activejob61/distinfo 1.14
- devel/ruby-activemodel61/distinfo 1.14
- devel/ruby-activestorage61/distinfo 1.14
- devel/ruby-activesupport61/distinfo 1.14
- devel/ruby-railties61/Makefile 1.4
- devel/ruby-railties61/distinfo 1.14
- lang/ruby/rails.mk 1.131
- mail/ruby-actionmailbox61/distinfo 1.14
- mail/ruby-actionmailer61/distinfo 1.14
- textproc/ruby-actiontext61/distinfo 1.14
- www/ruby-actioncable61/distinfo 1.14
- www/ruby-actionpack61/distinfo 1.14
- www/ruby-actionview61/distinfo 1.14
- www/ruby-rails61/distinfo 1.14
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Wed Jul 13 14:46:24 UTC 2022
Modified Files:
pkgsrc/databases/ruby-activerecord61: distinfo
pkgsrc/devel/ruby-activejob61: distinfo
pkgsrc/devel/ruby-activemodel61: distinfo
pkgsrc/devel/ruby-activestorage61: distinfo
pkgsrc/devel/ruby-activesupport61: distinfo
pkgsrc/devel/ruby-railties61: Makefile distinfo
pkgsrc/lang/ruby: rails.mk
pkgsrc/mail/ruby-actionmailbox61: distinfo
pkgsrc/mail/ruby-actionmailer61: distinfo
pkgsrc/textproc/ruby-actiontext61: distinfo
pkgsrc/www/ruby-actioncable61: distinfo
pkgsrc/www/ruby-actionpack61: distinfo
pkgsrc/www/ruby-actionview61: distinfo
pkgsrc/www/ruby-rails61: distinfo
Log Message:
www/ruby-rails61: update to 6.1.6.1
Rails 6.1.6.1 (2022-07-12) updates databases/ruby-activerecord61 only.
databases/ruby-activerecord61
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options The configuration options are as
follows:
o config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but
leaving the possible escalation vulnerability in place. Setting this
option to true is *not* recommended, but can aid in upgrading.
o config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be
deserialized by default. This option allows you to specify classes deemed
"safe" in your application. For example, if your application uses Symbol
and Time in serialized data, you can add Symbol and Time to the allowed
list as follows:
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
[CVE-2022-32224]
To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 pkgsrc/databases/ruby-activerecord61/distinfo
cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/ruby-activejob61/distinfo
cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/ruby-activemodel61/distinfo
cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/ruby-activestorage61/distinfo
cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/ruby-activesupport61/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/devel/ruby-railties61/Makefile
cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/ruby-railties61/distinfo
cvs rdiff -u -r1.130 -r1.131 pkgsrc/lang/ruby/rails.mk
cvs rdiff -u -r1.13 -r1.14 pkgsrc/mail/ruby-actionmailbox61/distinfo
cvs rdiff -u -r1.13 -r1.14 pkgsrc/mail/ruby-actionmailer61/distinfo
cvs rdiff -u -r1.13 -r1.14 pkgsrc/textproc/ruby-actiontext61/distinfo
cvs rdiff -u -r1.13 -r1.14 pkgsrc/www/ruby-actioncable61/distinfo
cvs rdiff -u -r1.13 -r1.14 pkgsrc/www/ruby-actionpack61/distinfo
cvs rdiff -u -r1.13 -r1.14 pkgsrc/www/ruby-actionview61/distinfo
cvs rdiff -u -r1.13 -r1.14 pkgsrc/www/ruby-rails61/distinfo
Revision 1.14 / (download) - annotate - [select for diffs], Wed Jul 13 14:46:23 2022 UTC (21 months ago) by taca
Branch: MAIN
Changes since 1.13: +4 -4
lines
Diff to previous 1.13 (colored)
www/ruby-rails61: update to 6.1.6.1 Rails 6.1.6.1 (2022-07-12) updates databases/ruby-activerecord61 only. databases/ruby-activerecord61 * Change ActiveRecord::Coders::YAMLColumn default to safe_load This adds two new configuration options The configuration options are as follows: o config.active_storage.use_yaml_unsafe_load When set to true, this configuration option tells Rails to use the old "unsafe" YAML loading strategy, maintaining the existing behavior but leaving the possible escalation vulnerability in place. Setting this option to true is *not* recommended, but can aid in upgrading. o config.active_record.yaml_column_permitted_classes The "safe YAML" loading method does not allow all classes to be deserialized by default. This option allows you to specify classes deemed "safe" in your application. For example, if your application uses Symbol and Time in serialized data, you can add Symbol and Time to the allowed list as follows: config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time] [CVE-2022-32224]
Revision 1.13 / (download) - annotate - [select for diffs], Tue Jun 7 15:05:22 2022 UTC (22 months, 1 week ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2022Q2-base
Branch point for: pkgsrc-2022Q2
Changes since 1.12: +4 -4
lines
Diff to previous 1.12 (colored)
www/ruby-rails61: update to 6.1.6 Ruby on Rails 6.1.6 (2022-05-12) Active Support * Fix and add protections for XSS in ActionView::Helpers and ERB::Util. Add the method ERB::Util.xml_name_escape to escape dangerous characters in names of tags and names of attributes, following the specification of XML. Action View * Fix and add protections for XSS in ActionView::Helpers and ERB::Util. Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option :escape_attributes to :escape, to simplify by applying the option to the whole tag. Action Pack * Allow Content Security Policy DSL to generate for API responses.
Revision 1.11.2.1 / (download) - annotate - [select for diffs], Sat Jun 4 09:31:41 2022 UTC (22 months, 2 weeks ago) by spz
Branch: pkgsrc-2022Q1
Changes since 1.11: +4 -4
lines
Diff to previous 1.11 (colored) next main 1.12 (colored)
Pullup ticket #6630 - requested by taca
databases/ruby-activerecord61: security update
devel/ruby-activejob61: security update
devel/ruby-activemodel61: security update
devel/ruby-activestorage61: security update
devel/ruby-activesupport61: security update
devel/ruby-railties61: security update
lang/ruby: version info update
mail/ruby-actionmailbox61: security update
mail/ruby-actionmailer61: security update
textproc/ruby-actiontext61: security update
www/ruby-actioncable61: security update
www/ruby-actionpack61: security update
www/ruby-actionview61: security update
www/ruby-rails61: security update
Revisions pulled up:
- databases/ruby-activerecord61/distinfo 1.12
- devel/ruby-activejob61/distinfo 1.12
- devel/ruby-activemodel61/distinfo 1.12
- devel/ruby-activestorage61/Makefile 1.5
- devel/ruby-activestorage61/distinfo 1.12
- devel/ruby-activesupport61/Makefile 1.4
- devel/ruby-activesupport61/distinfo 1.12
- devel/ruby-railties61/distinfo 1.12
- lang/ruby/rails.mk 1.121
- mail/ruby-actionmailbox61/PLIST 1.2
- mail/ruby-actionmailbox61/distinfo 1.12
- mail/ruby-actionmailer61/PLIST 1.2
- mail/ruby-actionmailer61/distinfo 1.12
- textproc/ruby-actiontext61/distinfo 1.12
- www/ruby-actioncable61/distinfo 1.12
- www/ruby-actionpack61/distinfo 1.12
- www/ruby-actionview61/distinfo 1.12
- www/ruby-rails61/distinfo 1.12
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:38:25 UTC 2022
Modified Files:
pkgsrc/lang/ruby: rails.mk
Log Message:
lang/ruby/rails.mk: Really update of Ruby on Rails to 6.1.5.1
To generate a diff of this commit:
cvs rdiff -u -r1.120 -r1.121 pkgsrc/lang/ruby/rails.mk
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:28:21 UTC 2022
Modified Files:
pkgsrc/devel/ruby-activesupport61: Makefile distinfo
Log Message:
devel/ruby-activesupport61: update to 6.1.5.1
## Rails 6.1.5.1 (April 26, 2022) ##
* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
Add the method `ERB::Util.xml_name_escape` to escape dangerous characters
in names of tags and names of attributes, following the specification of XML.
*Áìvaro Martíî Fraguas*
## Rails 6.1.5 (March 09, 2022) ##
* Fix `ActiveSupport::Duration.build` to support negative values.
The algorithm to collect the `parts` of the `ActiveSupport::Duration`
ignored the sign of the `value` and accumulated incorrect part values. This
impacted `ActiveSupport::Duration#sum` (which is dependent on `parts`) but
not `ActiveSupport::Duration#eql?` (which is dependent on `value`).
*Caleb Buxton*, *Braden Staudacher*
* `Time#change` and methods that call it (eg. `Time#advance`) will now
return a `Time` with the timezone argument provided, if the caller was
initialized with a timezone argument.
Fixes [#42467](https://github.com/rails/rails/issues/42467).
*Alex Ghiculescu*
* Clone to keep extended Logger methods for tagged logger.
*Orhan Toy*
* `assert_changes` works on including `ActiveSupport::Assertions` module.
*Pedro Medeiros*
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 pkgsrc/devel/ruby-activesupport61/Makefile
cvs rdiff -u -r1.11 -r1.12 pkgsrc/devel/ruby-activesupport61/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:28:57 UTC 2022
Modified Files:
pkgsrc/devel/ruby-activemodel61: distinfo
Log Message:
devel/ruby-activemodel61: update to 6.1.5.1
## Rails 6.1.5.1 (April 26, 2022) ##
* No changes.
## Rails 6.1.5 (March 09, 2022) ##
* Clear secure password cache if password is set to `nil`
Before:
user.password = 'something'
user.password = nil
user.password # => 'something'
Now:
user.password = 'something'
user.password = nil
user.password # => nil
*Markus Doits*
* Fix delegation in `ActiveModel::Type::Registry#lookup` and `ActiveModel::Type.lookup`
Passing a last positional argument `{}` would be incorrectly considered as keyword argument.
*Benoit Daloze*
* Fix `to_json` after `changes_applied` for `ActiveModel::Dirty` object.
*Ryuta Kamizono*
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/devel/ruby-activemodel61/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:29:32 UTC 2022
Modified Files:
pkgsrc/www/ruby-actionview61: distinfo
Log Message:
www/ruby-actionview61: update to 6.1.5.1
## Rails 6.1.5.1 (April 26, 2022) ##
* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
Escape dangerous characters in names of tags and names of attributes in the
tag helpers, following the XML specification. Rename the option
`:escape_attributes` to `:escape`, to simplify by applying the option to the
whole tag.
*Áìvaro Martíî Fraguas*
## Rails 6.1.5 (March 09, 2022) ##
* `preload_link_tag` properly inserts `as` attributes for files with `image` MIME
types, such as JPG or SVG.
*Nate Berkopec*
* Add `autocomplete="off"` to all generated hidden fields.
Fixes #42610.
*Ryan Baumann*
* Fix `current_page?` when URL has trailing slash.
This fixes the `current_page?` helper when the given URL has a trailing slash,
and is an absolute URL or also has query params.
Fixes #33956.
*Jonathan Hefner*
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/www/ruby-actionview61/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:30:02 UTC 2022
Modified Files:
pkgsrc/www/ruby-actionpack61: distinfo
Log Message:
www/ruby-actionpack61: update to 6.1.5.1
## Rails 6.1.5.1 (April 26, 2022) ##
* Allow Content Security Policy DSL to generate for API responses.
*Tim Wade*
## Rails 6.1.5 (March 09, 2022) ##
* Fix `content_security_policy` returning invalid directives.
Directives such as `self`, `unsafe-eval` and few others were not
single quoted when the directive was the result of calling a lambda
returning an array.
```ruby
content_security_policy do |policy|
policy.frame_ancestors lambda { [:self, "https://example.com"] }
end
```
With this fix the policy generated from above will now be valid.
*Edouard Chin*
* Update `HostAuthorization` middleware to render debug info only
when `config.consider_all_requests_local` is set to true.
Also, blocked host info is always logged with level `error`.
Fixes #42813.
*Nikita Vyrko*
* Dup arrays that get "converted".
Fixes #43681.
*Aaron Patterson*
* Don't show deprecation warning for equal paths.
*Anton Rieder*
* Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.
Fixes #43094.
*Alex Ghiculescu*
* Add fallback host for SystemTestCase driven by RackTest.
Fixes #42780.
*Petrik de Heus*
* Add more detail about what hosts are allowed.
*Alex Ghiculescu*
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/www/ruby-actionpack61/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:30:33 UTC 2022
Modified Files:
pkgsrc/databases/ruby-activerecord61: distinfo
Log Message:
databases/ruby-activerecord61: update to 6.1.5.1
## Rails 6.1.5.1 (April 26, 2022) ##
* No changes.
## Rails 6.1.5 (March 09, 2022) ##
* Fix `ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` for Ruby 2.6.
Ruby 2.6 and 2.7 have slightly different implementations of the `String#@-` method.
In Ruby 2.6, the receiver of the `String#@-` method is modified under certain circumstances.
This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only
fixed in Ruby 2.7.
Before the changes in this commit, the
`ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` method, which internally
calls the `String#@-` method, could also modify an input string argument in Ruby 2.6 --
changing a tainted, unfrozen string into a tainted, frozen string.
Fixes #43056
*Eric O'Hanlon*
* Fix migration compatibility to create SQLite references/belongs_to column as integer when
migration version is 6.0.
`reference`/`belongs_to` in migrations with version 6.0 were creating columns as
bigint instead of integer for the SQLite Adapter.
*Marcelo Lauxen*
* Fix dbconsole for 3-tier config.
*Eileen M. Uchitelle*
* Better handle SQL queries with invalid encoding.
```ruby
Post.create(name: "broken \xC8 UTF-8")
```
Would cause all adapters to fail in a non controlled way in the code
responsible to detect write queries.
The query is now properly passed to the database connection, which might or might
not be able to handle it, but will either succeed or failed in a more correct way.
*Jean Boussier*
* Ignore persisted in-memory records when merging target lists.
*Kevin Sjöâerg*
* Fix regression bug that caused ignoring additional conditions for preloading
`has_many` through relations.
Fixes #43132
*Alexander Pauly*
* Fix `ActiveRecord::InternalMetadata` to not be broken by
`config.active_record.record_timestamps = false`
Since the model always create the timestamp columns, it has to set them, otherwise it breaks
various DB management tasks.
Fixes #42983
*Jean Boussier*
* Fix duplicate active record objects on `inverse_of`.
*Justin Carvalho*
* Fix duplicate objects stored in has many association after save.
Fixes #42549.
*Alex Ghiculescu*
* Fix performance regression in `CollectionAssocation#build`.
*Alex Ghiculescu*
* Fix retrieving default value for text column for MariaDB.
*fatkodima*
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/databases/ruby-activerecord61/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:31:02 UTC 2022
Modified Files:
pkgsrc/devel/ruby-activestorage61: Makefile distinfo
Log Message:
devel/ruby-activestorage61: update to 6.1.5.1
## Rails 6.1.5.1 (April 26, 2022) ##
* No changes.
## Rails 6.1.5 (March 09, 2022) ##
* Attachments can be deleted after their association is no longer defined.
Fixes #42514
*Don Sisco*
To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 pkgsrc/devel/ruby-activestorage61/Makefile
cvs rdiff -u -r1.11 -r1.12 pkgsrc/devel/ruby-activestorage61/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:31:47 UTC 2022
Modified Files:
pkgsrc/mail/ruby-actionmailbox61: PLIST distinfo
Log Message:
mail/ruby-actionmailbox61: update to 6.1.5.1
## Rails 6.1.5.1 (April 26, 2022) ##
* No changes.
## Rails 6.1.5 (March 09, 2022) ##
* Add `attachments` to the list of permitted parameters for inbound emails conductor.
When using the conductor to test inbound emails with attachments, this prevents an
unpermitted parameter warning in default configurations, and prevents errors for
applications that set:
```ruby
config.action_controller.action_on_unpermitted_parameters = :raise
```
*David Jones*, *Dana Henke*
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 pkgsrc/mail/ruby-actionmailbox61/PLIST
cvs rdiff -u -r1.11 -r1.12 pkgsrc/mail/ruby-actionmailbox61/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:32:28 UTC 2022
Modified Files:
pkgsrc/www/ruby-actioncable61: distinfo
Log Message:
www/ruby-actioncable61: update to 6.1.5.1
## Rails 6.1.5.1 (April 26, 2022) ##
* No changes.
## Rails 6.1.5 (March 09, 2022) ##
* The Action Cable client now ensures successful channel subscriptions:
* The client maintains a set of pending subscriptions until either
the server confirms the subscription or the channel is torn down.
* Rectifies the race condition where an unsubscribe is rapidly followed
by a subscribe (on the same channel identifier) and the requests are
handled out of order by the ActionCable server, thereby ignoring the
subscribe command.
*Daniel Spinosa*
* Truncate broadcast logging messages.
*J Smith*
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/www/ruby-actioncable61/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:32:59 UTC 2022
Modified Files:
pkgsrc/devel/ruby-railties61: distinfo
Log Message:
devel/ruby-railties61: update to 6.1.5.1
## Rails 6.1.5.1 (April 26, 2022) ##
* No changes.
## Rails 6.1.5 (March 09, 2022) ##
* In `zeitwerk` mode, setup the `once` autoloader first, and the `main` autoloader after it.
This order plays better with shared namespaces.
*Xavier Noria*
* Handle paths with spaces when editing credentials.
*Alex Ghiculescu*
* Support Psych 4 when loading secrets.
*Nat Morcos*
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/devel/ruby-railties61/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:33:27 UTC 2022
Modified Files:
pkgsrc/textproc/ruby-actiontext61: distinfo
Log Message:
textproc/ruby-actiontext61: update to 6.1.5.1
## Rails 6.1.5.1 (April 26, 2022) ##
* No changes.
## Rails 6.1.5 (March 09, 2022) ##
* Fix Action Text extra trix content wrapper.
*Alexandre Ruban*
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/textproc/ruby-actiontext61/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 5 03:34:37 UTC 2022
Modified Files:
pkgsrc/devel/ruby-activejob61: distinfo
pkgsrc/mail/ruby-actionmailer61: PLIST distinfo
pkgsrc/www/ruby-rails61: distinfo
Log Message:
Update rest of Ruby on Rails 61 components.
No change except version.
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/devel/ruby-activejob61/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/mail/ruby-actionmailer61/PLIST
cvs rdiff -u -r1.11 -r1.12 pkgsrc/mail/ruby-actionmailer61/distinfo
cvs rdiff -u -r1.11 -r1.12 pkgsrc/www/ruby-rails61/distinfo
Revision 1.12 / (download) - annotate - [select for diffs], Thu May 5 03:28:21 2022 UTC (23 months, 2 weeks ago) by taca
Branch: MAIN
Changes since 1.11: +4 -4
lines
Diff to previous 1.11 (colored)
devel/ruby-activesupport61: update to 6.1.5.1
## Rails 6.1.5.1 (April 26, 2022) ##
* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
Add the method `ERB::Util.xml_name_escape` to escape dangerous characters
in names of tags and names of attributes, following the specification of XML.
*lvaro MartÃn Fraguas*
## Rails 6.1.5 (March 09, 2022) ##
* Fix `ActiveSupport::Duration.build` to support negative values.
The algorithm to collect the `parts` of the `ActiveSupport::Duration`
ignored the sign of the `value` and accumulated incorrect part values. This
impacted `ActiveSupport::Duration#sum` (which is dependent on `parts`) but
not `ActiveSupport::Duration#eql?` (which is dependent on `value`).
*Caleb Buxton*, *Braden Staudacher*
* `Time#change` and methods that call it (eg. `Time#advance`) will now
return a `Time` with the timezone argument provided, if the caller was
initialized with a timezone argument.
Fixes [#42467](https://github.com/rails/rails/issues/42467).
*Alex Ghiculescu*
* Clone to keep extended Logger methods for tagged logger.
*Orhan Toy*
* `assert_changes` works on including `ActiveSupport::Assertions` module.
*Pedro Medeiros*
Revision 1.11 / (download) - annotate - [select for diffs], Sun Mar 13 15:11:50 2022 UTC (2 years, 1 month ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2022Q1-base
Branch point for: pkgsrc-2022Q1
Changes since 1.10: +4 -4
lines
Diff to previous 1.10 (colored)
www/ruby-rails61: update to 6.1.4.7 Ruby on Rails 6.1.4.7 is not latest version but it should be easy to pull-up to pkgsrc-2021Q4. Changes are in devel/ruby-activestorage61 only. ## Rails 6.1.4.7 (March 08, 2022) ## * Added image transformation validation via configurable allow-list. Variant now offers a configurable allow-list for transformation methods in addition to a configurable deny-list for arguments. [CVE-2022-21831]
Revision 1.9.2.1 / (download) - annotate - [select for diffs], Thu Mar 3 19:11:59 2022 UTC (2 years, 1 month ago) by bsiegert
Branch: pkgsrc-2021Q4
Changes since 1.9: +4 -4
lines
Diff to previous 1.9 (colored) next main 1.10 (colored)
Pullup ticket #6589 - requested by taca
www/wuby-rails61: security fix
Revisions pulled up:
- databases/ruby-activerecord61/distinfo 1.10
- devel/ruby-activejob61/distinfo 1.10
- devel/ruby-activemodel61/distinfo 1.10
- devel/ruby-activestorage61/distinfo 1.10
- devel/ruby-activesupport61/distinfo 1.10
- devel/ruby-railties61/distinfo 1.10
- lang/ruby/rails.mk 1.113
- mail/ruby-actionmailbox61/distinfo 1.10
- mail/ruby-actionmailer61/distinfo 1.10
- textproc/ruby-actiontext61/distinfo 1.10
- www/ruby-actioncable61/distinfo 1.10
- www/ruby-actionpack61/distinfo 1.10
- www/ruby-actionview61/distinfo 1.10
- www/ruby-rails61/distinfo 1.10
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 13 07:35:06 UTC 2022
Modified Files:
pkgsrc/databases/ruby-activerecord61: distinfo
pkgsrc/devel/ruby-activejob61: distinfo
pkgsrc/devel/ruby-activemodel61: distinfo
pkgsrc/devel/ruby-activestorage61: distinfo
pkgsrc/devel/ruby-activesupport61: distinfo
pkgsrc/devel/ruby-railties61: distinfo
pkgsrc/lang/ruby: rails.mk
pkgsrc/mail/ruby-actionmailbox61: distinfo
pkgsrc/mail/ruby-actionmailer61: distinfo
pkgsrc/textproc/ruby-actiontext61: distinfo
pkgsrc/www/ruby-actioncable61: distinfo
pkgsrc/www/ruby-actionpack61: distinfo
pkgsrc/www/ruby-actionview61: distinfo
pkgsrc/www/ruby-rails61: distinfo
Log Message:
www/ruby-rails61: update to 6.1.4.6
This update contains security fix for CVE-2022-23633 in ruby-actionpack61.
Active Support 6.1.4.6 (2022-02-11)
* Fix Reloader method signature to work with the new Executor signature.
Action Pack 6.1.4.5 (2022-02-11)
* Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which result in request state
not being fully reset before the next request.
[CVE-2022-23633]
Other packages have no change.
Revision 1.10 / (download) - annotate - [select for diffs], Sun Feb 13 07:35:04 2022 UTC (2 years, 2 months ago) by taca
Branch: MAIN
Changes since 1.9: +4 -4
lines
Diff to previous 1.9 (colored)
www/ruby-rails61: update to 6.1.4.6 This update contains security fix for CVE-2022-23633 in ruby-actionpack61. Active Support 6.1.4.6 (2022-02-11) * Fix Reloader method signature to work with the new Executor signature. Action Pack 6.1.4.5 (2022-02-11) * Under certain circumstances, the middleware isn't informed that the response body has been fully closed which result in request state not being fully reset before the next request. [CVE-2022-23633] Other packages have no change.
Revision 1.9 / (download) - annotate - [select for diffs], Sun Dec 19 05:23:00 2021 UTC (2 years, 4 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2021Q4-base
Branch point for: pkgsrc-2021Q4
Changes since 1.8: +4 -4
lines
Diff to previous 1.8 (colored)
devel/ruby-activesupport61: update to 6.1.4.4 No change except version.
Revision 1.8 / (download) - annotate - [select for diffs], Tue Oct 26 10:19:25 2021 UTC (2 years, 5 months ago) by nia
Branch: MAIN
Changes since 1.7: +2 -2
lines
Diff to previous 1.7 (colored)
archivers: Replace RMD160 checksums with BLAKE2s checksums All checksums have been double-checked against existing RMD160 and SHA512 hashes Could not be committed due to merge conflict: devel/py-traitlets/distinfo The following distfiles were unfetchable (note: some may be only fetched conditionally): ./devel/pvs/distinfo pvs-3.2-solaris.tgz ./devel/eclipse/distinfo eclipse-sourceBuild-srcIncluded-3.0.1.zip
Revision 1.7 / (download) - annotate - [select for diffs], Thu Oct 7 13:44:02 2021 UTC (2 years, 6 months ago) by nia
Branch: MAIN
Changes since 1.6: +1 -2
lines
Diff to previous 1.6 (colored)
devel: Remove SHA1 hashes for distfiles
Revision 1.6 / (download) - annotate - [select for diffs], Sun Aug 22 07:16:46 2021 UTC (2 years, 7 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base,
pkgsrc-2021Q3
Changes since 1.5: +5 -5
lines
Diff to previous 1.5 (colored)
www/ruby-rails61: update to 6.1.4.1
Update Ruby on Rails 6.1 pacakges to 6.1.4.1.
Real changes are in Action Pack (www/ruby-actionpack61).
## Rails 6.1.4.1 (August 19, 2021) ##
* [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware.
Specially crafted "X-Forwarded-Host" headers in combination with certain
"allowed host" formats can cause the Host Authorization middleware in Action
Pack to redirect users to a malicious website.
Revision 1.5 / (download) - annotate - [select for diffs], Sun Jul 4 07:58:17 2021 UTC (2 years, 9 months ago) by taca
Branch: MAIN
Changes since 1.4: +5 -5
lines
Diff to previous 1.4 (colored)
devel/ruby-activesupport61: update to 6.0.4 Active Support * MemCacheStore: convert any underlying value (including false) to an Entry. See #42559. (Alex Ghiculescu) * Fix bug in number_with_precision when using large BigDecimal values. Fixes #42302. (Federico Aldunate, Zachary Scott) * Check byte size instead of length on secure_compare. (Tietew) * Fix Time.at to not lose :in option. (Ryuta Kamizono) * Require a path for config.cache_store = :file_store. (Alex Ghiculescu) * Avoid having to store complex object in the default translation file. (Rafael Mendonça França)
Revision 1.4 / (download) - annotate - [select for diffs], Sat May 8 14:08:55 2021 UTC (2 years, 11 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2021Q2-base,
pkgsrc-2021Q2
Changes since 1.3: +5 -5
lines
Diff to previous 1.3 (colored)
www/ruby-rails61: update to 6.1.3.2
Real changes are in www/ruby-actionpack61 only.
## Rails 6.1.3.2 (May 05, 2021) ##
* Prevent open redirects by correctly escaping the host allow list
CVE-2021-22903
* Prevent catastrophic backtracking during mime parsing
CVE-2021-22902
* Prevent regex DoS in HTTP token authentication
CVE-2021-22904
* Prevent string polymorphic route arguments.
`url_for` supports building polymorphic URLs via an array
of arguments (usually symbols and records). If a developer passes a
user input array, strings can result in unwanted route helper calls.
CVE-2021-22885
*Gannon McGibbon*
Revision 1.3 / (download) - annotate - [select for diffs], Sun Apr 11 13:28:01 2021 UTC (3 years ago) by taca
Branch: MAIN
Changes since 1.2: +5 -5
lines
Diff to previous 1.2 (colored)
www/ruby-rails61: update to 6.1.3.1 Real changes are in devel/devel/ruby-activestorage61 only. ## Rails 6.1.3.1 (March 26, 2021) ## * Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data. *George Claghorn*
Revision 1.2 / (download) - annotate - [select for diffs], Sun Feb 28 15:42:39 2021 UTC (3 years, 1 month ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base,
pkgsrc-2021Q1
Changes since 1.1: +5 -5
lines
Diff to previous 1.1 (colored)
www/ruby-rails61: update to 6.1.3
Rails 6.1.3 (February 17, 2021)
[ActionPack]
* Re-define routes when not set correctly via inheritance.
*John Hawthorn*
[ActiveRecord]
* Fix the MySQL adapter to always set the right collation and charset
to the connection session.
*Rafael Mendonça França*
* Fix MySQL adapter handling of time objects when prepared statements
are enabled.
*Rafael Mendonça França*
* Fix scoping in enum fields using conditions that would generate
an IN clause.
*Ryuta Kamizono*
* Skip optimised #exist? query when #include? is called on a relation
with a having clause
Relations that have aliased select values AND a having clause that
references an aliased select value would generate an error when
#include? was called, due to an optimisation that would generate
call #exists? on the relation instead, which effectively alters
the select values of the query (and thus removes the aliased select
values), but leaves the having clause intact. Because the having
clause is then referencing an aliased column that is no longer
present in the simplified query, an ActiveRecord::InvalidStatement
error was raised.
An sample query affected by this problem:
Author.select('COUNT(*) as total_posts', 'authors.*')
.joins(:posts)
.group(:id)
.having('total_posts > 2')
.include?(Author.first)
This change adds an addition check to the condition that skips the
simplified #exists? query, which simply checks for the presence of
a having clause.
Fixes #41417
*Michael Smart*
* Increment postgres prepared statement counter before making a
prepared statement, so if the statement is aborted without Rails
knowledge (e.g., if app gets kill -9d during long-running query or
due to Rack::Timeout), app won't end up in perpetual crash state for
being inconsistent with Postgres.
*wbharding*, *Martin Tepper*
Revision 1.1 / (download) - annotate - [select for diffs], Sun Feb 14 13:53:25 2021 UTC (3 years, 2 months ago) by taca
Branch: MAIN
devel/ruby-activesupport61: add package version 6.1.2.1 A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing. This is for Ruby on Rails 6.1.